OTSSignsOrchestrator.Server/Health/Checks/OauthAppAgeHealthCheck.cs

using OTSSignsOrchestrator.Server.Data.Entities;

namespace OTSSignsOrchestrator.Server.Health.Checks;

/// <summary>
/// Checks the age of the OAuth2 application credentials from <see cref="OauthAppRegistry.CreatedAt"/>.
/// Alerts Warning at 180 days, Critical at 365 days. AutoRemediate=false — suggests
/// a "rotate-oauth2" job instead.
/// </summary>
public sealed class OauthAppAgeHealthCheck : IHealthCheck
{
    /// <summary>Days at which severity escalates to Warning.</summary>
    internal const int WarningThresholdDays = 180;

    /// <summary>Days at which severity escalates to Critical.</summary>
    internal const int CriticalThresholdDays = 365;

    public string CheckName => "OauthAppAge";
    public bool AutoRemediate => false;

    public Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
    {
        var oauthApp = instance.OauthAppRegistries
            .OrderByDescending(o => o.CreatedAt)
            .FirstOrDefault();

        if (oauthApp is null)
            return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,
                "No OAuth app registered"));

        var ageDays = (DateTime.UtcNow - oauthApp.CreatedAt).TotalDays;

        if (ageDays >= CriticalThresholdDays)
        {
            return Task.FromResult(new HealthCheckResult(HealthStatus.Critical,
                $"OAuth2 credentials are {(int)ageDays} days old (critical threshold: {CriticalThresholdDays}d)",
                "Create a 'rotate-credentials' job to rotate the OAuth2 application"));
        }

        if (ageDays >= WarningThresholdDays)
        {
            return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,
                $"OAuth2 credentials are {(int)ageDays} days old (warning threshold: {WarningThresholdDays}d)",
                "Schedule credential rotation before they reach 365 days"));
        }

        return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,
            $"OAuth2 credentials are {(int)ageDays} days old"));
    }
}
feat: Implement provisioning pipelines for subscription management - Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup. 2026-03-18 10:27:26 -04:00			`using OTSSignsOrchestrator.Server.Data.Entities;`

			`namespace OTSSignsOrchestrator.Server.Health.Checks;`

			`/// <summary>`
			`/// Checks the age of the OAuth2 application credentials from <see cref="OauthAppRegistry.CreatedAt"/>.`
			`/// Alerts Warning at 180 days, Critical at 365 days. AutoRemediate=false — suggests`
			`/// a "rotate-oauth2" job instead.`
			`/// </summary>`
			`public sealed class OauthAppAgeHealthCheck : IHealthCheck`
			`{`
			`/// <summary>Days at which severity escalates to Warning.</summary>`
			`internal const int WarningThresholdDays = 180;`

			`/// <summary>Days at which severity escalates to Critical.</summary>`
			`internal const int CriticalThresholdDays = 365;`

			`public string CheckName => "OauthAppAge";`
			`public bool AutoRemediate => false;`

			`public Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)`
			`{`
			`var oauthApp = instance.OauthAppRegistries`
			`.OrderByDescending(o => o.CreatedAt)`
			`.FirstOrDefault();`

			`if (oauthApp is null)`
			`return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,`
			`"No OAuth app registered"));`

			`var ageDays = (DateTime.UtcNow - oauthApp.CreatedAt).TotalDays;`

			`if (ageDays >= CriticalThresholdDays)`
			`{`
			`return Task.FromResult(new HealthCheckResult(HealthStatus.Critical,`
			`$"OAuth2 credentials are {(int)ageDays} days old (critical threshold: {CriticalThresholdDays}d)",`
			`"Create a 'rotate-credentials' job to rotate the OAuth2 application"));`
			`}`

			`if (ageDays >= WarningThresholdDays)`
			`{`
			`return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,`
			`$"OAuth2 credentials are {(int)ageDays} days old (warning threshold: {WarningThresholdDays}d)",`
			`"Schedule credential rotation before they reach 365 days"));`
			`}`

			`return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,`
			`$"OAuth2 credentials are {(int)ageDays} days old"));`
			`}`
			`}`